Skip to content

Cisco Web Security Appliance

Cisco WSA

About

Cisco Secure Web Appliance protects your organization by automatically blocking risky sites and testing unknown sites before allowing users to click on them.

Product Details

Vendor URL: Cisco Secure Web Appliance

Product Type: Web proxy, network connection

Product Tier: Tier II

Integration Method: Syslog

Log Guide: What is logged in access log for HTTPS traffic User Guide for AsyncOS 11.0 for Cisco Web Security Appliances

Parser Details

Log Format: Custom

Expected Normalization Rate: 95-100%

Data Label: CISCO_WSA

UDM Fields (list of all UDM fields leveraged in the Parser):

Log File Field UDM Field
GENERIC_EVENT metadata.event_type
Cisco WSA metadata.product_name
Cisco metadata.vendor_name
method network.http.method
http_response network.http.response_code
observer observer.hostname
client_ip principal.ip
acl_decision_tag security_resultacl_decision_label.key = ACLDecisionTag
custom_url_category security_resultcustom_url_label.key = CustomURLCategory
transaction_result_code security_resulttransaction_label.key = TransactionResultCode
data_source src.hostname
target_ip target.ip
target_port target.port
target_url target.url

Product Event Types

Event Type
All events

Log Sample

<14>Sep 29 10:29:04 host SYSLOGAccessLogs: Info: 1632932944.490 90 10.147.88.13 TCP_MISS/200 0 TCP_CONNECT 10.10.10.1:443 - DIRECT/url - PASSTHRU_WBRS_7-DefaultGroup-LCAB.AuthExemptSource.ID-NONE-NONE-NONE-DefaultGroup-NONE <"IW_comp",9.0,1,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,"IW_comp",-,"-","Computers and Internet","-","Unknown","Unknown","-","-",0.00,0,-,"-","-",-,"-",-,-,"-","-",-,-,"-",-,-> - 0 "Information about computers and software, such as hardware, software, software support; information for software engineers, programming and networking; website design; the web and Internet in general; computer science; computer graphics and clipart. Freeware and Shareware is a separate 

Sample Parsing

metadata.event_timestamp = "2021-09-29T22:06:19.373454Z"
metadata.event_type = "GENERIC_EVENT"
metadata.vendor_name = "Cisco"
metadata.product_name = "Cisco WSA"
metadata.ingested_timestamp = "2021-09-29T22:06:19.373454Z"
principal.ip = "10.40.42.70"
principal.asset.ip = "10.40.42.70"
src.hostname = "url"
src.asset.hostname = "sync"
target.port = 443
observer.hostname = "host"
security_result.about.labels.key = "CustomURLCategory"
security_result.about.labels.value = "IW_comp"
network.http.method = "TCP_CONNECT"

Parser Alerting

This product currently does not have any Parser-based Alerting